Questions for the PCCP were updated on: Dec 01, 2025
Which tool's analysis data gives security operations teams insight into their environment's risks from
exposed services?
D
Explanation:
Xpanse is a tool from Palo Alto Networks that provides attack surface management by analyzing
exposed services and internet-facing assets, giving security operations teams visibility into
environmental risks and helping prioritize remediation of vulnerabilities.
What is a reason IoT devices are more susceptible to command-and-control (C2) attacks?
B
Explanation:
IoT devices often have constant internet connectivity and increased data sharing, making them more
vulnerable to command-and-control (C2) attacks. Their limited security features and exposure to
external networks provide attackers more opportunities to compromise and control them remotely.
What is an advantage of virtual firewalls over physical firewalls for internal segmentation when
placed in a data center?
A
Explanation:
Virtual firewalls offer the advantage of dynamic scalability, making them ideal for internal
segmentation in data centers. They can be quickly deployed, resized, and adjusted to meet the needs
of changing workloads and environments, unlike physical firewalls which require fixed hardware
resources.
What would allow a security team to inspect TLS-encapsulated traffic?
B
Explanation:
Decryption is required to inspect TLS-encrypted traffic, allowing security tools (such as firewalls or
intrusion prevention systems) to analyze the contents of the traffic for threats that would otherwise
remain hidden within encrypted sessions.
What are two limitations of signature-based anti-malware software? (Choose two.)
A, C
Explanation:
Signature-based systems struggle with polymorphic or obfuscated malware, which changes its code
to avoid detection. Signature-based detection relies on static databases of known threat signatures,
limiting its ability to identify new or unknown threats.
Which component of the AAA framework regulates user access and permissions to resources?
A
Explanation:
Authorization is the component of the AAA (Authentication, Authorization, and Accounting)
framework that regulates user access and permissions to resources after identity has been verified. It
determines what actions or resources a user is allowed to access.
What is required for an effective Attack Surface Management (ASM) process?
A
Explanation:
An effective Attack Surface Management (ASM) process requires a real-time, data-rich inventory of
all internet-facing assets. This enables continuous visibility, timely detection of vulnerabilities, and
identification of exposures that attackers could exploit.
What is a purpose of workload security on a Cloud Native Security Platform (CNSP)?
B
Explanation:
Workload security in a Cloud Native Security Platform (CNSP) is designed to secure containers, VMs,
and serverless functions throughout the entire application lifecycle — from development to runtime
— by detecting and blocking vulnerabilities, misconfigurations, and runtime threats.
Which component of cloud security is used to identify misconfigurations during the development
process?
C
Explanation:
Code security focuses on identifying vulnerabilities and misconfigurations early in the development
process. It uses tools like static code analysis and infrastructure-as-code (IaC) scanning to ensure
secure coding and configuration before deployment.
A firewall administrator needs to efficiently deploy corporate account configurations and VPN
settings to targeted mobile devices within the network.
Which technology meets this requirement?
B
Explanation:
Mobile Device Management (MDM) enables firewall administrators to remotely and efficiently
deploy corporate configurations, such as email accounts and VPN settings, to targeted mobile
devices. It ensures consistent policy enforcement and security across all managed devices.
Which activity is a technique in the MITRE ATT&CK framework?
D
Explanation:
Account discovery is a technique in the MITRE ATT&CK framework under the Discovery tactic. It
involves adversaries attempting to identify user accounts on a system or network.
Credential access, lateral movement, and resource development are tactics — high-level objectives
an attacker is trying to achieve.
Which endpoint protection security option can prevent malware from executing software?
A
Explanation:
An application allow list prevents malware from executing by only permitting approved applications
to run on an endpoint. Any unauthorized or unknown software, including malicious programs, is
automatically blocked from executing.
Which two workflows are improved by integrating SIEMs with other security solutions? (Choose
two.)
B, D
Explanation:
Log normalization – SIEMs standardize log formats from various sources, making it easier to analyze
and correlate security events.
Incident response – Integration enables faster detection, investigation, and automated or guided
response to security incidents by using correlated data from multiple tools.
Hardware procurement and security team training are not directly influenced by SIEM integration.
Which two statements apply to the SSL/TLS protocol? (Choose two.)
B, C
Explanation:
SSL/TLS encrypts and authenticates web-based communication to ensure secure data transmission
over networks. It ensures privacy by encrypting the data exchanged between a client and a server,
protecting it from interception or tampering. It doesn’t handle user input like passwords directly.
What are two functions of User and Entity Behavior Analytics (UEBA) data in Prisma Cloud CSPM?
(Choose two.)
A, D
Explanation:
Assessing severity levels – UEBA data helps prioritize incidents by evaluating the risk and severity
based on user and entity behavior.
Detecting and correlating anomalies – UEBA continuously analyzes activity to identify abnormal
behavior and correlate anomalies that may indicate insider threats or compromised accounts.